Find which site was authenticated in OAuth Screen

I’m building an integration with Jira and I’m trying to retrieve which site was authenticated for on the screen. I can get a list of accessible resources using this endpoint, but it doesn’t contain details on which of those resources have been authenticated, so it’s unclear which cloud_id should be used to retrieve logs. I’m looking for an endpoint that returns the cloud_id for sites that have been authenticated. Help is greatly appreciated, thanks!

@andreapiazza,

All of those resources have been authorized. The endpoints involved in the 3LO flow do not return any information about which one was selected.

Thanks for the clarification, @ibuchanan. When we hit the /accessible_resources endpoint, we’re able to see all sites available even though they haven’t been authenticated. Is there an endpoint that will show us which sites have been authenticated? Is there a recommended approach to determining which endpoints have been authenticated? Currently, we’re making requests to each accessible resource and seeing which returns 200. Is there a better way to only make requests to sites that have been authenticated? Will we be rate limited for making requests to multiple sites, even if they result in 403 errors?

[
    {
        "id": "1234",
        "url": "https://myurl.com", // user **did not** authenticate for this site, we are unable to get logs from this site.
        "name": "test",
        "scopes": [
            "read:audit-log:confluence"
        ],
        "avatarUrl": "test.png"
    },
    {
        "id": "5678", // user **did** authenticate for this site, we want to make requests with this id
        "url": "https://testsite2.com", // How can we tell this url was authorized for on the screen
        "name": "test2",
        "scopes": [
            "read:audit-log:jira"
        ],
        "avatarUrl": "test2.png"
    }
]

Thank you, we really appreciate your help!

@andreapiazza,

I’m not entirely sure I understand your question. In part because you keep referring to “authenticated” sites. Do you mean “authorized”?

Assuming so, I’ve seen a few cases where developers have seen sites they did not realize had been authorized. However, if you start with a new client id & secret, and start with only the read:me scope, you’ll notice the array of accessible resources starts empty. The accessible resources array is intended to be the set of all sites for which the user authorized your app.

That said, I cannot explain why an authorized site would return a 403. Debugging this might require specific knowledge of your client id, secret, and some trace ids, in which case, you will need to open a developer support case so you could safely share those details with our engineers.

Thanks @ibuchanan, sorry for the confusion. When I say “authenticated”, I mean a user has gone through the OAuth flow for each site in the accessible_resources. That endpoint shows which sites are authorized for the app, but each site in the accessible resource array also needs someone to go through the OAuth flow. Is there an endpoint that shows which cloud id is authorized and authenticated? From what I’m seeing, the accessible_resources displays which sites can be authenticated, not which sites are authenticated.

@andreapiazza,

Oh, interesting. If I understand correctly, you get the 403 when the user who performed the OAuth flow is not an admin? So, even if you ask for the read:audit-log:jira scope, that’s not a guarantee the user has the right permissions. To my knowledge, the “check for 403” logic is already optimal.

There are endpoints you could use to interrogate the user’s permissions. For example, your client can get the current user using GET /rest/api/3/myself with ?expand=groups,applicationRoles. However, that alone expands the scopes your app needs (read:jira-user) without actually fixing anything.

Perhaps the best error message you could provide is in the Jira Platform REST API docs:

Permissions required: Administer Jira global permission.

And if you propagate that message with links, that’s the best chance users will have to get an admin to perform the action.

As for “selecting a site”, I can only elaborate my initial response: there are no endpoints, payloads, or otherwise that will let your client ask which site was most recently selected during the OAuth 2 flow.
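Since the thread concludes that probing each accessible resource and checking for 200 vs. 403 is the practical approach, here is an added example (not code from the thread or from Atlassian) that does exactly that for a token-holder's accessible resources, honouring Retry-After on 429 so the probe does not hammer the gateway. It assumes the audit-log endpoint is reached through the Atlassian API gateway in the `https://api.atlassian.com/ex/jira/{cloudId}/rest/api/3/auditing/record` form; the cloud ids, URLs and response sequence in `demo()` are constructed to mirror the two sites quoted above plus a rate-limited third, and `http_probe` is the only part that talks to a real server.

```python
import json
import time
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Assumption: the Jira "Get audit records" resource is reached through the
# Atlassian API gateway in this form. It requires Administer Jira, which is
# why a site can be authorized for the app yet answer 403 for this user.
AUDIT_URL = "https://api.atlassian.com/ex/jira/{cloud_id}/rest/api/3/auditing/record"


@dataclass
class ProbeResult:
    status: int                          # HTTP status of the probe
    retry_after: Optional[float] = None  # seconds from a 429's Retry-After header


# A probe takes (url, bearer_token) and returns a ProbeResult without raising.
Probe = Callable[[str, str], ProbeResult]


def http_probe(url: str, token: str) -> ProbeResult:
    """Real probe using only the standard library; 4xx/5xx become results."""
    req = urllib.request.Request(url, headers={
        "Authorization": f"Bearer {token}",
        "Accept": "application/json",
    })
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return ProbeResult(resp.status)
    except urllib.error.HTTPError as err:
        retry_after = err.headers.get("Retry-After")
        return ProbeResult(err.code, float(retry_after) if retry_after else None)


def classify_sites(resources: List[dict], token: str, probe: Probe = http_probe,
                   max_retries: int = 3, sleep=time.sleep) -> Dict[str, List[str]]:
    """Probe each accessible resource once and bucket its cloud id.

    usable    -> 200: use this cloud_id to pull audit logs
    forbidden -> 403: authorized for the app, but the user who completed the
                 OAuth flow lacks Administer Jira on that site
    unknown   -> still 429 after max_retries, or an unexpected status
    """
    buckets: Dict[str, List[str]] = {"usable": [], "forbidden": [], "unknown": []}
    for site in resources:
        cloud_id = site["id"]
        url = AUDIT_URL.format(cloud_id=cloud_id)
        result = probe(url, token)
        attempts = 0
        # Back off on 429 (Retry-After if given, else exponential) before retrying.
        while result.status == 429 and attempts < max_retries:
            sleep(result.retry_after or float(2 ** attempts))
            attempts += 1
            result = probe(url, token)
        if result.status == 200:
            buckets["usable"].append(cloud_id)
        elif result.status == 403:
            buckets["forbidden"].append(cloud_id)
        else:
            buckets["unknown"].append(cloud_id)
    return buckets


# Constructed sample data, not real Atlassian responses: the two sites from
# the thread plus a third that is rate limited once before answering 200.
SAMPLE_RESOURCES = [
    {"id": "1234", "url": "https://myurl.com", "name": "test",
     "scopes": ["read:audit-log:confluence"]},
    {"id": "5678", "url": "https://testsite2.com", "name": "test2",
     "scopes": ["read:audit-log:jira"]},
    {"id": "9999", "url": "https://testsite3.com", "name": "test3",
     "scopes": ["read:audit-log:jira"]},
]


def make_fake_probe(script: Dict[str, List[ProbeResult]]) -> Probe:
    """Return an offline probe replaying a per-cloud_id list of constructed results."""
    def probe(url: str, token: str) -> ProbeResult:
        cloud_id = url.split("/ex/jira/")[1].split("/")[0]
        queue = script[cloud_id]
        # Replay the scripted sequence; the last entry repeats forever.
        return queue.pop(0) if len(queue) > 1 else queue[0]
    return probe


def demo() -> Dict[str, List[str]]:
    fake = make_fake_probe({
        "1234": [ProbeResult(403)],
        "5678": [ProbeResult(200)],
        "9999": [ProbeResult(429, retry_after=0.0), ProbeResult(200)],
    })
    return classify_sites(SAMPLE_RESOURCES, "constructed-token",
                          probe=fake, sleep=lambda s: None)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production, call `classify_sites` with the list returned by the accessible-resources endpoint and the default `http_probe`; the `forbidden` bucket is where the thread's "Administer Jira global permission" message should be surfaced to the user, and anything that lands in `unknown` is worth logging with the gateway's trace headers before opening a support case.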

Thanks @ibuchanan, I appreciate your help!